10/21/04

> Checking for existence of data is good, but how about checking also when
> the client attempts to submit data? For instance, if user A were somehow
> able to pull up a configuration page for user B (perhaps by copying user
> A's HTML source code), then try to submit that. Shouldn't the application
> check permissions again then?

Of course. You had mentioned GET requests which, by convention, do not
submit data for storage on the server, so I only covered reads. For writes,
you should probably also keep in mind that updates and additions may have
different permissions rules on at least some pages. In addition to read and
write operations, you might also need to consider deletions if your
application allows these.
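The pattern the reply describes, as an added example that is not part of the thread: one authorization chokepoint keyed on the operation (read, create, update, delete), called on the GET and again on the POST, where the owner id is taken from the submitted form rather than trusted. `ConfigStore`, `User` and `Forbidden` are hypothetical names, and the per-operation rules are assumptions chosen to show that they can differ.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""

@dataclass
class User:
    user_id: str
    roles: frozenset = frozenset()

@dataclass
class ConfigStore:
    # Constructed sample state: one configuration record per owning user.
    configs: dict = field(default_factory=dict)

    def authorize(self, actor: User, action: str, owner_id: str) -> None:
        """Single chokepoint for every handler. Rules are keyed on the
        action because update, create and delete need not share them."""
        is_owner = actor.user_id == owner_id
        is_admin = "admin" in actor.roles
        allowed = {
            "read": is_owner or is_admin,
            "update": is_owner or is_admin,
            "create": is_owner,   # assumed rule: nobody creates on another's behalf
            "delete": is_admin,   # assumed rule: only admins may delete
        }
        if not allowed.get(action, False):
            raise Forbidden(f"{actor.user_id} may not {action} config of {owner_id}")

    def read_config(self, actor: User, owner_id: str) -> dict:
        """GET handler: the read check the thread already covered."""
        self.authorize(actor, "read", owner_id)
        return dict(self.configs[owner_id])

    def submit_config(self, actor: User, form: dict) -> str:
        """POST handler. owner_id arrives in the form, exactly as it would if
        user A submitted a copy of user B's page, so it is re-checked here
        instead of assuming the earlier GET already settled it."""
        owner_id = form["owner_id"]
        action = "update" if owner_id in self.configs else "create"
        self.authorize(actor, action, owner_id)
        self.configs[owner_id] = {k: v for k, v in form.items() if k != "owner_id"}
        return action

    def delete_config(self, actor: User, owner_id: str) -> None:
        """Deletion gets its own rule rather than inheriting the write rule."""
        self.authorize(actor, "delete", owner_id)
        del self.configs[owner_id]
```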